Google says “attackers are intensifying their phishing and credential theft methods” with an “exponential rise in cookie and authentication token theft as a preferred method.”

To counter this, Google recommends passkey adoption, which is now “generally available to more than 11 million Google Workspace customers.” Admins can audit passkey enrollment and restrict passkeys to physical security keys. Compared to passwords, passkeys cannot be “guessed, stolen, or forgotten.”

Phishing resistance: Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.

Ease of use: Signing in with passkeys is as simple as unlocking your device, such as using a PIN or biometrics such as a fingerprint or facial recognition.

Strong security: Unlike passwords that are often re-used, each passkey is unique and generated for each specific website or service.

Google says “signing in with passkeys is 40% faster than passwords for Workspace users.”

To date, we have millions of users across enterprises, nonprofits, and educational institutions benefiting from using passkeys.

Meanwhile, Google also wants to combat cookie theft with Device Bound Session Credentials. DBSC “helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from.” This is available in Chrome for Windows, with only the originating device able to access the active session.

Some Workspace customers are already using it to protect their end users.

Google’s other effort to reduce cookie theft is the Shared Signals Framework (SSF).

This framework acts as a robust system for “transmitters” to promptly inform “receivers” about significant events, facilitating a coordinated response to security threats.